Page MenuHomePhabricator
Create Task
Maniphest T360721

Update the image used by the python-bandit appsec include
Open, Needs TriagePublic
Actions

Description

Currently, our bandit appsec include is expecting to use one of the python3-build images under docker-registry.wikimedia.org. But its apt calls aren't working now (example) because those images are now too locked down. So let's update the include (and the doc) to use a more generic bookworm (or similar) image.

  • Update comments and apt calls within the include file (MR34)
  • Update callers of the include (I think just Wikimedia Code Health Check for now...)
  • Update the relevant mediawiki.org doc (edit)

Details

TitleReferenceAuthorSource BranchDest Branch
Refactor python bandit templaterepos/security/gitlab-ci-security-templates!34sbassettT360721-refactor-python-bandit-includemain
Customize query in GitLab

Related Objects
Search...

Event Timeline

sbassett created this task.Mar 21 2024, 9:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2024, 9:35 PM
CodeReviewBot added a project: Patch-For-Review.Mar 22 2024, 2:35 PM

sbassett opened https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/34

Refactor python bandit template

sbassett updated the task description. (Show Details)Mar 22 2024, 2:48 PM
sbassett moved this task from Backlog to In Progress on the GitLab-Application-Security-Pipeline board.Mar 25 2024, 5:26 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
CodeReviewBot added a comment.Mar 25 2024, 6:01 PM

mmartorana merged https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/34

Refactor python bandit template

sbassett updated the task description. (Show Details)Mar 25 2024, 6:14 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 25 2024, 6:30 PM
sbassett added a comment.EditedMar 28 2024, 10:29 PM

Via the new appsec pipeline metrics cli (T342467), I was able to find that only a couple of repos are using the bandit include right now:

'wikimedia-code-health-check' ['repos/security/gitlab-ci-security-templates / main / /python-bandit/python-bandit-ci.yml'] 

'ci-cd-testing-gitlab-ci-security-templates' ['repos/security/gitlab-ci-security-templates / main / generic-osv/osv-ci.yaml', 'repos/security/gitlab-ci-security-templates / main / golang-go-mod-outdated/go-mod-outdated-ci.yml', 'repos/security/gitlab-ci-security-templates / main / golang-gosec/golang-gosec-ci.yml', 'repos/security/gitlab-ci-security-templates / main / npm-outdated/npm-outdated-nodejs-ci.yml', 'repos/security/gitlab-ci-security-templates / main / php-composer-outdated/php-composer-outdated-ci.yml', 'repos/security/gitlab-ci-security-templates / main / php-phan-taint-check/php-phan-taint-check-ci.yml', 'repos/security/gitlab-ci-security-templates / main / php-security-checker/php-security-checker-ci.yml', 'repos/security/gitlab-ci-security-templates / main / python-bandit/python-bandit-ci.yml', 'repos/security/gitlab-ci-security-templates / main / secret-seeker/seeking-secrets.yaml', 'repos/security/gitlab-ci-security-templates / main / semgrep/semgrep-ci.yml']
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits